opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-08-06 19:44:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #17127 from mupuf/tty_devices_for_all

Browse Source 
Make rootless privileged containers share the same tty devices as rootfull ones
This commit is contained in:
OpenShift Merge Robot
2023-01-17 05:07:56 -05:00
committed by GitHub
parent 07ba51d77a 8db2b4b733
commit abfca47d32
4 changed files with 48 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/source/markdown/options/privileged.md
View File

@ -9,7 +9,9 @@ Give extended privileges to this container. The default is **false**.
By default, Podman containers are unprivileged (**=false**) and cannot, for By default, Podman containers are unprivileged (**=false**) and cannot, for
example, modify parts of the operating system. This is because by default a example, modify parts of the operating system. This is because by default a
container is only allowed limited access to devices. A "privileged" container container is only allowed limited access to devices. A "privileged" container
is given the same access to devices as the user launching the container. is given the same access to devices as the user launching the container, with
the exception of virtual consoles (_/dev/tty\d+_) when running in systemd
mode (**--systemd=always**).
A privileged container turns off the security features that isolate the A privileged container turns off the security features that isolate the
container from the host. Dropped Capabilities, limited devices, read-only mount container from the host. Dropped Capabilities, limited devices, read-only mount

1
docs/source/markdown/options/systemd.md
View File

@ -24,6 +24,7 @@ Running the container in systemd mode causes the following changes:
* Podman sets the default stop signal to **SIGRTMIN+3**. * Podman sets the default stop signal to **SIGRTMIN+3**.
* Podman sets **container_uuid** environment variable in the container to the * Podman sets **container_uuid** environment variable in the container to the
first 32 characters of the container id. first 32 characters of the container id.
* Podman will not mount virtual consoles (_/dev/tty\d+_) when running with **--privileged**.
This allows systemd to run in a confined container without any modifications. This allows systemd to run in a confined container without any modifications.

24
pkg/util/utils_linux.go
View File

@ -7,7 +7,6 @@ import (
"os" "os"
"path" "path"
"path/filepath" "path/filepath"
"strings"
"syscall" "syscall"
"github.com/containers/podman/v4/libpod/define" "github.com/containers/podman/v4/libpod/define"
@ -107,7 +106,18 @@ func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
Source: d.Path, Source: d.Path,
Options: []string{"slave", "nosuid", "noexec", "rw", "rbind"}, Options: []string{"slave", "nosuid", "noexec", "rw", "rbind"},
} }
if d.Path == "/dev/ptmx" || strings.HasPrefix(d.Path, "/dev/tty") {
/* The following devices should not be mounted in rootless containers:
*
* /dev/ptmx: The host-provided /dev/ptmx should not be shared to
* the rootless containers for security reasons, and
* the container runtime will create it for us
* anyway (ln -s /dev/pts/ptmx /dev/ptmx);
* /dev/tty[0-9]+: Prevent the container from taking over the host's
* virtual consoles, even when not in systemd mode
* for backwards compatibility.
*/
if d.Path == "/dev/ptmx" || isVirtualConsoleDevice(d.Path) {
continue continue
} }
if _, found := mounts[d.Path]; found { if _, found := mounts[d.Path]; found {
@ -121,6 +131,16 @@ func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
} }
} else { } else {
for _, d := range hostDevices { for _, d := range hostDevices {
/* Restrict access to the virtual consoles *only* when running
* in systemd mode to improve backwards compatibility. See
* https://github.com/containers/podman/issues/15878.
*
* NOTE: May need revisiting in the future to drop the systemd
* condition if more use cases end up breaking the virtual terminals
* of people who specifically disable the systemd mode. It would
* also provide a more consistent behaviour between rootless and
* rootfull containers.
*/
if systemdMode && isVirtualConsoleDevice(d.Path) { if systemdMode && isVirtualConsoleDevice(d.Path) {
continue continue
} }

25
test/system/030-run.bats
View File

@ -952,10 +952,29 @@ $IMAGE--c_ok" \
run_podman stop -t 0 $cid run_podman stop -t 0 $cid
} }
# 16925: --privileged + --systemd = share non-virtual-terminal TTYs @test "podman run --privileged as rootless will not mount /dev/tty\d+" {
@test "podman run --privileged as root with systemd mounts non-vt /dev/tty devices" { skip_if_not_rootless "this test as rootless"
skip_if_rootless "this test only makes sense as root"
# First, confirm that we _have_ /dev/ttyNN devices on the host.
# ('skip' would be nicer in some sense... but could hide a regression.
# Fedora, RHEL, Debian, Ubuntu, Gentoo, all have /dev/ttyN, so if
# this ever triggers, it means a real problem we should know about.)
vt_tty_devices_count=$(find /dev -regex '/dev/tty[0-9].*' | wc -w)
assert "$vt_tty_devices_count" != "0" \
"Expected at least one /dev/ttyN device on host"
run_podman run --rm -d --privileged $IMAGE ./pause
cid="$output"
run_podman exec $cid sh -c "find /dev -regex '/dev/tty[0-9].*' | wc -w"
assert "$output" = "0" \
"ls /dev/tty[0-9]: should have no ttyN devices"
run_podman stop -t 0 $cid
}
# 16925: --privileged + --systemd = share non-virtual-terminal TTYs (both rootful and rootless)
@test "podman run --privileged as root with systemd mounts non-vt /dev/tty devices" {
# First, confirm that we _have_ non-virtual terminal /dev/tty* devices on # First, confirm that we _have_ non-virtual terminal /dev/tty* devices on
# the host. # the host.
non_vt_tty_devices_count=$(find /dev -regex '/dev/tty[^0-9].*' | wc -w) non_vt_tty_devices_count=$(find /dev -regex '/dev/tty[^0-9].*' | wc -w)